Best usb-ethernet adapter for pfsense?

Been watching the videos for a while and decided I would ask a question here. I’ve seen the same asked at the pfsense forums, and the answer is always the same, just don’t.

And since I started with pfsense on a box with one USB adapter, I certainly know why this is the answer. But times are different now and I’m hoping someone can help point the way.

At work I have a Supermicro server running now. With the current global problem, I’ve been forced to work from home as much as possible. So I tried putting some pieces together to build a site to site openVPN connection between my work network, and my home lab at home. At first I tried my GL AR750s pocket router since it supports some level of openVPN. Never did get it working, and one other person tried the same and gave up. Next choice was using an old Foxconn bookshelf computer that only has a single Ethernet connection. No, VLANs aren’t going to be the choice with the rest of the home network. Put a usb-ethernet on it for the lan side, and clamped a chunk of aluminum to the case for a heatsink. This worked fairly well at work when I had no choice, but I wasn’t pushing much throughput back then. Today after a couple weeks of running, I was watching the live stream and RDP into several computers when the connection locked up. Much messing around later and a different adapter and I’m back in service.

What I need is a decent USB adapter that has a compatible chipset and won’t overheat. Only advice on the pfsense forums is an AX8xxxx chipset adapter. If you have one you’ve been using really hard, let me know.

My home pfsense box has USB 2 and 3.0. My home connection is Spectrum, so my rates suck at around 70mbps down and a whopping 6mbps up. As you can see, speed issues from openVPN are not really a concern. And only traffic going to my work network goes across the VPN.

Does it have to be USB, can’t fit a PCI card in the machine somehow? Personally I would look into the VLAN trick, as I know a few people have it running on NUCs this way.

Nope, no slots. It’s a little book sized computer.

Pluggable brand USB3-HUB3ME hub/ethernet adapter is slow. Looking around for one I brought home from work to test.

Cheapo generic AX88xx white plastic USB 2 gives me full speed 70/6mbps with a speed test, too bad these are the ones that overheat because they do work fine up to almost 100mbps when I was using one at work. Going to cut the plastic case off today and see if I can make a better heat path to some aluminum for a sink.

I might just give up and try an old HP T610 Plus thin client with an ethernet card installed. Getting kind of old and not much info on them with pfSense other than one or two people talking about install issue with 2.4 but 2.35 installed fine, then upgrade to 2.4x. Not sure I want to toss the $70 out on a test with something that low power, not going to do much more for me if pfsense fails.

It sounds like you are trying to catch your tail.

If I was you I would either buy a Raspberry Pi, install openVPN and plug that into your current router or buy a cheap box off eBay with multiple ethernet ports. With your internet speeds you can easily saturate your lines with basic kit.

Oh yeah … good luck with finding anything except v2.4.5, you won’t be able to download anything earlier.

Not too hard to find 2.3.5

RPi only has a single Ethernet so I would be back to router on a stick, and if that was possible, I’d be doing that now. Tons of cheap thin clients on eBay with a single Ethernet connection for those that can do router on a stick, some as cheap as $20 after shipping and tiny and very low power.

Going to keep looking and see what I can find for some kind of industrial usb-Ethernet device and see if the cost is decently low. Cost is an issue, so is noise and power. If noise and power were no issue, I’d just bring home an old Supermicro X7 series 2u server and fire it up. Our utility bill for the past month has really shot up with 2 people working from home. And I’m still waiting to get laid off, I can see it coming, just don’t know when. Probably after the semester officially ends in May and they decide I’m not needed to support classes for a few months.

For the time being, I drilled holes in the plastic case to try and vent the cheap usb2 device, also put it on an extension to move it away from some heat and clamp it to a blank rack panel.

Wow, I definitely would not download PfSense from anywhere except the official site!

It looks like it’s Netgate’s policy to remove their old version as soon as they release a new version.

I used to use one and it was a nightmare. Always disconnecting and sometimes breaking my entire internet connection.

I recommend buying a VLAN capable switch to trunk the connection. If you need any help I would be happy to help you set it up. I am using the SG105E I think.

I used to use a pluggable usb3 adapter connected to a laptop for my main home router running pfsense and while it was fine when my internet connection was 50mbps, the second I upgraded to 200mbps I had to build a new firewall. When using it for my 50mbps connection, it would get a lot of rx errors on the interface…I was still able to get my expected full speeds however it’s never a good sign seeing rx or rx errors

My new home router ended up being another laptop that had an expresscard slot which I then connected a gigabit adapter to. That connection is WAY better than USB since it connects via pci express.

I ended up buying an HP T620 plus with 4gb RAM and 16gb flash and a 4 port Intel Pro gigabit network card installed. Should be here by about Saturday. These are supposed to run at about 10 watts with this card installed, and get decent speed in routing and VPN. Also AES-NI support and the card should let me offload a bunch of overhead from the CPU.

A lot more than I wanted to spend right now, but when this is over I may change my whole home system around. I don’t really want access at home, I don’t normally get paid when working from home so I don’t want the ability when things get back to normal.

Think that’s a much better option with more flexibility. It strikes me that a home OpenVPN server ought to be run as a matter of course, all my wifi devices connect to the OpenVPN server when I’m at home, I really don’t trust WPA it always has security issues and never gets fixed.

Yes, WPA seems to be hacked faster than movie encryption.

[edit] looks like the pictures are tiny, can’t really see much. if it is important to anyone, I’ll upload to my photobucket site so you can get the full resolution [/edit]

Alright… Got the computer yesterday and spent some time cleaning the dust out of the fan and chassis. Spent a little bit of time today backing up the embedded OS with clonezilla and got pfSense installed. Once it was installed and I found the correct ethernet connections, I edited the config file backup from the other machine to update the NIC interfaces before I restored the config. Logged in, restored the config, once it rebooted everything was working. Went through and turned AES-NI on, allowed all the TCP offload stuff to offload, and checked the logs while I checked things inside my work network. No errors and everything seems nice and fast.

With the old USB adapter, even with the air holes cut I was still getting numerous connection interruptions, not enough to take me off the system, but enough that proved this new computer was the correct choice.

Here are a few pictures so you can compare what I was using to what I am now:

My current lab rack, most stuff is off. The Cisco stuff is far too fluid to push into regular use besides those routers are loud. Even that bottom switch is loud. Left to right is 4 Win7 clients, little single disk FreeNAS box, Zentyal domain controller, spare nothing (white box), and former pfSense for VPN. Then the “new” HP box. Red cables are routers, yellow computers, gray are crossover, and some old Cisco direct “stacking” cables on the right sides of the upper 2 switches. Eventually I’ll replace those switches with newer 2960s and newer style stacking cables in the back (part of the current exam is “proper” stacking).

And the dashboard of the new machine for those that might want to read the specs. It is a VERY basic install, the only real thing I wanted was the site to site with work. If this virus mess is ever over, I’ll probably disconnect everything again and go back to just the Cisco stuff.

That said, I’m probably going to build an internal Jitsi server on one of the white boxes, and possibly a FOG server on the other. Would be a lot easier if I had my VM rig here, but it is too big and loud to run 24/7 right now. And it draws a lot more power than I want right now. There is a desk 2 feet from where this sits and two of us working from home in the same “room”. Yes, the divider “blocks off” part of the room to designate it as an office, might be important for tax reasons.

If you want more info on the HP T620, there is a bunch of stuff over at Serve The Home. But the low down is that this can take at least 8GB of ram in two sockets, so with the processor on board, it should be a decent little firewall as a supplemental VPN box or main FW on smaller companies. I’d go with newer SuperMicro for bigger companies and higher importance. But these also cost 10x the price. I’m in for around $160 and that included the 4GB of RAM, 16GB SATA flash disk, and the older 4 port Intel em based network card (HP stickers on it). The fan blows straight across this NIC card to keep it cool.

I have used USB 3.0 Gigabit-to-Ethernet goobers with reasonable success.
In its heart-of-hearts, pfsense is FreeBSD in a Fred Astaire outfit, so given
the rates you quote for your ISP pipe, I think it should work pretty well.
If I have somehow misread the thread and this has already been failed
experimentally, sorry.

I will say that the goobers I have used are Apple
USB3-GigE and Thunderbolt-GigE flavors with no tears.
I include this factoid because MacOS and tvOS (based on NetBSD, btw)
are both notoriously picky about who they play with.

good luck.

Thankfully I’m now at the point where the USB adapters are not an issue since I’m not using them. But I may hunt down some apple branded devices and give them a try. I still think it’s valuable to have the ability to toss a USB nic on there to cover for a failed card or a temporary expansion.

That looks like some heavy duty kit :scream:
Yeah the problem with enterprise grade kit is the noise, unless you have a server room at home it will irritate. Have a Dell PE 2900, the thing sounds like a plane taking off, it sucks electricity out of the wall like nothing else. Hence it hasn’t been switched on in probably 5 years.
Though I do like those mini-pcs now, they are great, small and no noise. Have two Lenovo Thinkcentres I bought cheaply which host Proxmox and FreeNAS, no issues.

Bringing this back up after a week… The t620 is still working great, my connections into work are nice and solid. It’s quiet and runs cool for the little bit of work I’m throwing through it.

I have an Intel Pro card coming for my firewall at work so I can offload the network overhead for a little better performance on that end.

Continuing the discussion from Best usb-ethernet adapter for pfsense?:

Hey there, sorry for the late response but could you give some insight on this? Just bought the SG105e and I also have a microcomputer that I want to use as a PFSense router but cannot add NICs to it.

The short answer is that none are really great. Heat is a problem with many, and even the AX88xxx chips that used to work sort of OK are a problem now (at least all of mine were). The issue was short but frequent disconnects that can be seen in an error log. They may be good when the load is very low, but once you start moving data, there are a lot of retransmits happening.

As someone that really wanted this to work, I’m going to say that right now it is not a good solution for anything but emergency repairs. When the case is have something buggy or have nothing, then the USB adapters can be considered.
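
The short, frequent disconnects mentioned in this thread can be counted from the system log instead of judged by feel. The following is an added example, not part of the original posts: it assumes FreeBSD-style kernel messages of the form `ue0: link state changed to DOWN` in classic syslog layout, and the sample lines, the host name `fw`, the one-hour window and the threshold of three are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the BSD syslog style; not taken from the thread.
SAMPLE_LOG = """\
Apr 14 09:02:11 fw kernel: ue0: link state changed to DOWN
Apr 14 09:02:13 fw kernel: ue0: link state changed to UP
Apr 14 09:17:40 fw kernel: ue0: link state changed to DOWN
Apr 14 09:17:44 fw kernel: ue0: link state changed to UP
Apr 14 09:31:05 fw kernel: ue0: link state changed to DOWN
Apr 14 09:31:06 fw kernel: ue0: link state changed to UP
Apr 14 09:40:00 fw kernel: em0: link state changed to UP
Apr 14 11:55:20 fw kernel: ue0: link state changed to DOWN
"""

LINK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+): link state changed to (UP|DOWN)$")

def parse_events(text, year=2020):
    """Return {iface: [(timestamp, state), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            # Classic syslog omits the year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, m.group(3)))
    return events

def flap_report(events, window=timedelta(hours=1), threshold=3):
    """Per interface: DOWN count, completed outage seconds, and whether
    `threshold` DOWN events ever fell inside one sliding `window`."""
    report = {}
    for iface, evs in events.items():
        downs = [ts for ts, state in evs if state == "DOWN"]
        outages, down_at = [], None
        for ts, state in evs:
            if state == "DOWN":
                down_at = ts
            elif down_at is not None:
                outages.append((ts - down_at).total_seconds())
                down_at = None
        flapping = any(downs[i + threshold - 1] - downs[i] <= window
                       for i in range(len(downs) - threshold + 1))
        report[iface] = {"downs": len(downs), "outage_s": outages,
                         "still_down": down_at is not None, "flapping": flapping}
    return report

if __name__ == "__main__":
    for iface, r in flap_report(parse_events(SAMPLE_LOG)).items():
        print(iface, r)
```

Comparing the report for a USB-attached interface against a PCIe one over the same period shows whether the adapter, rather than the upstream link, is dropping.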